Route Claude Code Through AWS Bedrock Using Bifrost

Claude Code connects to Anthropic's API by default, but many engineering teams need their AI coding sessions to run through AWS Bedrock: for compliance reasons, to use existing AWS budgets, to keep traffic within a VPC, or to apply IAM-based access controls. Bifrost, the open-source AI gateway built in Go by Maxim AI, sits between Claude Code and Bedrock, handling SigV4 request signing, model aliasing, and all protocol translation transparently. Developers point a single environment variable at Bifrost; from there, every coding session routes through Bedrock without any changes to how they use Claude Code.

Why Route Claude Code Through AWS Bedrock

Connecting Claude Code directly to Bedrock requires each developer to configure AWS credentials, set CLAUDE_CODE_USE_BEDROCK=1, pin inference profile IDs, and handle credential refresh when SSO tokens expire. That setup works for a single machine, but it does not scale to an engineering organization.

Routing through Bifrost centralizes that surface:

• AWS credentials and SigV4 signing live in one place, on the gateway, not on every developer's workstation
• Developers authenticate to Bifrost with a virtual key instead of AWS credentials
• Per-team budget and rate limits enforce cost controls before requests reach Bedrock
• Automatic failover routes to Anthropic's native API if Bedrock is unavailable, without interrupting the coding session
• All requests are logged with model, token counts, latency, and cost, giving engineering managers visibility across the organization

For teams in regulated industries or strict VPC environments, Bifrost's in-VPC and air-gapped deployment options mean no traffic leaves the private network.

Prerequisites

Before configuring Bifrost, you need:

• An AWS account with Bedrock model access enabled for Anthropic models (submit the use-case form in the Amazon Bedrock console; access is granted immediately)
• IAM credentials with at least bedrock:InvokeModel and bedrock:ListFoundationModels permissions
• Claude Code installed (curl -fsSL <https://claude.ai/install.sh> | bash)
• Bifrost running locally or on a server your developers can reach

Step 1: Run Bifrost

Bifrost starts in under a minute with no configuration file required:

# via npx
npx -y @maximhq/bifrost

# or Docker
docker run -p 8080:8080 maximhq/bifrost

The web UI is available at http://localhost:8080. For production deployments, see the Kubernetes deployment guide or the clustering docs for high-availability configurations.

Step 2: Configure AWS Bedrock as a Provider

Bifrost supports four AWS authentication methods. Choose the one that matches your deployment.

Explicit Credentials

Provide an access key and secret key directly. This is the simplest option for local development and CI pipelines.

# Create the Bedrock provider
curl -X POST <http://localhost:8080/api/providers> \\
  -H "Content-Type: application/json" \\
  -d '{"provider": "bedrock"}'

# Add a key with explicit credentials
curl -X POST <http://localhost:8080/api/providers/bedrock/keys> \\
  -H "Content-Type: application/json" \\
  -d '{
    "name": "bedrock-key",
    "models": ["*"],
    "weight": 1.0,
    "aliases": {
      "claude-sonnet-4-6": "global.anthropic.claude-sonnet-4-6",
      "claude-haiku-4-5": "global.anthropic.claude-haiku-4-5"
    },
    "bedrock_key_config": {
      "access_key": "env.AWS_ACCESS_KEY_ID",
      "secret_key": "env.AWS_SECRET_ACCESS_KEY",
      "region": "us-east-1"
    }
  }'

The aliases map logical model names to Bedrock inference profile IDs. Claude Code sends claude-sonnet-4-6; Bifrost rewrites it to global.anthropic.claude-sonnet-4-6 before signing and forwarding the request to Bedrock.

IAM Role (Inherited Credentials)

For deployments on EKS, ECS, or EC2, leave the credentials empty. Bifrost resolves them from the standard AWS credential chain: IRSA, task roles, instance profiles, and environment variables.

{
  "name": "bedrock-iam",
  "models": ["*"],
  "weight": 1.0,
  "aliases": {
    "claude-sonnet-4-6": "global.anthropic.claude-sonnet-4-6"
  },
  "bedrock_key_config": {
    "region": "us-east-1"
  }
}

Add role_arn to assume an IAM role before signing, which is the standard pattern for cross-account Bedrock access.

STS AssumeRole

For cross-account Bedrock access, add role_arn to any credential source. Bifrost calls STS, assumes the role, and uses the resulting temporary credentials to sign every request.

{
  "bedrock_key_config": {
    "region": "us-east-1",
    "role_arn": "arn:aws:iam::123456789012:role/BedrockRole",
    "external_id": "env.AWS_EXTERNAL_ID",
    "session_name": "bifrost-session"
  }
}

Full field reference and the config.json and Go SDK configuration paths are in the AWS Bedrock provider docs.

Step 3: Model Aliasing for Claude Code

Claude Code operates on three model tiers: Sonnet (default for most tasks), Opus (complex reasoning), and Haiku (fast background tasks). Each tier maps to an environment variable that accepts a Bedrock inference profile ID.

Bedrock requires inference profiles rather than bare model IDs. Cross-region inference profiles use the global.* or us.* prefix and distribute load across AWS regions automatically:

Configure these as aliases on the Bedrock key in Bifrost (as shown in Step 2), or pin them via the Bifrost web UI under Dashboard > Models > Model Providers > AWS Bedrock > Key.

Step 4: Create a Virtual Key

Virtual keys are Bifrost's primary governance mechanism. Instead of distributing AWS credentials to developers, issue each developer or team a virtual key. Each key can carry its own budget limit, rate limits, and allowed provider configuration.

curl -X POST <http://localhost:8080/api/virtual-keys> \\
  -H "Content-Type: application/json" \\
  -d '{
    "name": "engineering-team",
    "monthly_budget": 500,
    "provider": "bedrock"
  }'

The response includes a key value. Developers use this as their ANTHROPIC_AUTH_TOKEN. No AWS credentials ever leave the gateway.

Step 5: Connect Claude Code to Bifrost

With Bifrost running and the Bedrock provider configured, there are two ways to point Claude Code at the gateway: editing settings.json directly, or using the Bifrost CLI for a guided launch that sets all environment variables automatically without any file editing.

Option A: Edit settings.json

Add the following to ~/.claude/settings.json:

{
  "env": {
    "ANTHROPIC_BASE_URL": "<http://your-bifrost-host:8080/anthropic>",
    "ANTHROPIC_AUTH_TOKEN": "your-virtual-key",
    "ANTHROPIC_DEFAULT_SONNET_MODEL": "bedrock/global.anthropic.claude-sonnet-4-6",
    "ANTHROPIC_DEFAULT_HAIKU_MODEL": "bedrock/global.anthropic.claude-haiku-4-5"
  }
}

The bedrock/ prefix tells Bifrost which provider to use. Claude Code itself has no awareness of Bedrock; it sends requests to Bifrost's Anthropic-compatible endpoint, and Bifrost handles the translation, SigV4 signing, and forwarding.

Run /status inside Claude Code to confirm the connection. The model field should show the Bedrock inference profile ID.

Option B: Use the Bifrost CLI

Bifrost CLI is an interactive terminal tool that launches Claude Code with the correct environment variables already injected. Instead of editing settings.json, it presents a guided setup flow, fetches available models directly from the running gateway, and handles credential injection — including virtual key storage in the OS keyring (never plaintext on disk). Requires Node.js 18+.

With the gateway running, open a second terminal and run:

npx -y @maximhq/bifrost-cli

The CLI walks through five prompts:

1. Base URL — enter your Bifrost gateway address (default: http://localhost:8080)
2. Virtual key — enter the virtual key from Step 4, or press Enter to skip
3. Harness — select Claude Code
4. Model — the CLI fetches all models available in the gateway; type bedrock/global.anthropic.claude-sonnet-4-6 to filter to Bedrock specifically, then select it
5. Launch — review the summary and press Enter

The CLI sets ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, and the model environment variables, then launches Claude Code inside a persistent tabbed terminal UI.

Tabbed sessions. Press Ctrl+B at any time to open the tab bar. From there, open a second session with a different Bedrock model tier (for example, bedrock/global.anthropic.claude-haiku-4-5 for lighter tasks), close tabs, or switch between running sessions without re-running the CLI.

MCP auto-attach. When launching Claude Code through the Bifrost CLI, the MCP server at /mcp is registered automatically. Every tool configured in Bifrost is available inside the coding session with no claude mcp add commands needed.

The CLI persists your last-used gateway URL and model in ~/.bifrost/config.json. On the next run, press Enter at the summary screen to re-launch with the same configuration immediately.

Step 6: Mid-Session Model Switching

Once Claude Code is connected to Bifrost, developers can switch models mid-session without restarting:

/model bedrock/global.anthropic.claude-sonnet-4-6
/model bedrock/global.anthropic.claude-haiku-4-5

# Switch to Anthropic direct for comparison
/model claude-sonnet-4-6

# Route to another provider entirely
/model vertex/claude-sonnet-4-6

The switch is instantaneous and conversation context carries over. This lets teams move to a cheaper Bedrock model for lighter tasks within the same session, or route to Anthropic's native API when a Bedrock inference profile is unavailable.

Adding Failover Between Bedrock and Anthropic

A common enterprise configuration runs Bedrock as the primary provider with Anthropic's native API as the fallback. When Bedrock returns a rate limit error or a 5xx response, Bifrost automatically retries on the next available provider with no interruption to the Claude Code session.

Configure this in the automatic fallbacks section of the Bifrost web UI, or via the providers API. Bifrost's load balancing supports weighted distribution, so teams can split traffic across Bedrock regions or split between Bedrock and Anthropic based on throughput requirements.

This configuration is a core part of the LLM Gateway capabilities that distinguish a gateway from a simple proxy.

Enterprise Considerations

For organizations deploying Claude Code at scale, routing through Bifrost unlocks several additional controls:

Audit logs. Every request, model response, token count, and cost is logged with an immutable trail. Bifrost's audit log output meets SOC 2, GDPR, HIPAA, and ISO 27001 evidence requirements.

IAM and SSO. Bifrost integrates with Okta, Microsoft Entra, and other OIDC providers via user provisioning and RBAC. Developer virtual keys can be provisioned automatically on SSO login.

Guardrails. Content safety, PII redaction, and custom policies can be applied to all Claude Code traffic via Bifrost's guardrails integration, which connects to AWS Bedrock Guardrails, Azure Content Safety, and custom regex patterns.

In-VPC deployment. For teams that cannot allow any traffic to leave the private network, Bifrost deploys inside a VPC with no external dependencies required at runtime.

Benchmarks show Bifrost adds 11 microseconds of mean overhead at 5,000 requests per second, which is within measurement noise for interactive coding sessions.

What Engineers Experience

From a developer's perspective, nothing changes. They run claude, write code, and Claude Code responds. The Bedrock routing, SigV4 signing, model aliasing, and governance controls are transparent. The only visible difference is the model name shown in /status and the budget dashboard that engineering managers gain access to.

Teams that have adopted this architecture report two operational benefits: centralized credential management (rotating a single IAM key in Bifrost propagates to every developer immediately) and cost visibility (per-developer spend becomes queryable rather than requiring AWS Cost Explorer queries filtered by tag).

For organizations evaluating this setup, the LLM Gateway Buyer's Guide covers the full capability matrix including compliance certifications, deployment models, and governance requirements.

To see how Bifrost can route your Claude Code deployments through AWS Bedrock with enterprise governance in place, book a demo with the Bifrost team.